OFAC Compliance Strategies: Interview with Geff Vitale, AML Education Manager, Metavante

The U.S. Treasury's Office of Foreign Assets Control (OFAC) maintains a list of individuals and organizations that represent security risks to the U.S., and businesses are required to screen their customers and transactions against this list.
But how does one filter correctly and interpret aliases properly to stay in OFAC compliance?
In an exclusive interview, Geff Vitale, AML Education Manager, Metavante Risk and Compliance Solutions, discusses:
Vitale manages training of Anti-Money Laundering and Prime Compliance Suite for Risk and Compliance Solutions of Metavante Corporation. He is responsible for leading the development and delivery of training services to help financial institutions meet regulatory requirements for AML training, develop implementation procedures for the Prime Compliance Suite and develop training programs for end users. He has more than 8 years of experience in the financial services industry.
TOM FIELD: Hi. This is Tom Field, Editorial Director with Information Security Media Group. The topic today is interpreting aliases on the OFAC list. We are speaking with Geff Vitale, AML Education Manager with Metavante Risk and Compliance Solutions. Geff, thanks so much for joining me today.
GEFF VITALE: Thank you, Tom.
FIELD: Geff, why don't you tell us a little bit about yourself and your role at Metavante, and give us a sense of what types of organizations you work with on a daily basis.
VITALE: Sure. I manage the training to prevent money laundering, and also the training for the Metavante Prime Compliance Suite Solutions. I am responsible for basically heading up development and delivery of training services, but along with that, I also develop AML training, implementation procedures and also other training type programs. It also leads me into being a consultant for different financial services, or institutes. Mainly, we work with banks and insurance companies, but lately, we have been seeing a little bit more of an interest in our products from the nonfinancial institution sector, such as just regular corporations, with mandates, etc. So, with all of that, I also design workflow design, implementation, product usage evaluations, documentation development, and also a solution and application design.
FIELD: So, Geff, you and I have spoken a little bit offline. Give our listeners a sense of what some of the OFAC list challenges are right now for financial institutions.
VITALE: There are a couple that everybody seems to be facing. The underlying one that has always been there from the beginning is the incomplete, or the out-of-date information. This affects a lot of what institutions have to deal with, because they are expected to filter for information that is either incomplete or just not there. And, an example of that has to do with the latest addition of the Iranian vessels, where OFAC has issued a list of Iranian vessels, but at the same time says "This is not a complete list, and you should augment your interdiction software." So, when you hear things like that, you kind of say, "Well, wait a minute. I'm required to legally filter against the OFAC list, but OFAC is saying they don't have all the information." So, this is definitely a challenge for every institution. Another challenge that institutions face is examiners. They are going above and beyond what the mandate of OFAC is. They are kind of utilizing the OFAC matching to increase awareness of the institution's risk, and also utilizing the interdiction software, to identify other types of risk ... So, by examiners expanding the expectation of what the interdiction software should do, it also puts a burden or a challenge on the institution. And then, of course, there is always the fear of noncompliance, and there should always be a fear of noncompliance. But I think the fear has been escalated to a point that it is sort of out of control. OFAC has recently presented, at the IPSA conference, indicating that people have this unfounded fear of noncompliance, or that violations will get through, when in actuality they have only issued maybe about a dozen fines for institutions blatantly not filing or filtering appropriately, but the majority of the violations that they do handle, or are aware of, in the end, don't result in fines, but they do result in the institution taking some kind of remedial action, in order to try to ensure it doesn't happen again.
FIELD: So, let's just talk about this a little bit, Geff, because the ramifications are of interest to me. Let's say that a financial institution isn't in compliance, or isn't filing appropriately. What does this mean for a financial institution? What are the challenges if they don't have their OFAC program down properly?
VITALE: Well, one, my whole thing with not complying with OFAC is that you are facilitating the funding of terrorist organizations, or individuals that are breaking the law. So, to me, that is one, but that's sort of a business requirement. Granted, you're not in business to help prevent terrorists from getting their funding, but that's what we sort of do. Really, what it is is that you need to make sure that you're filtering correctly, that you are catching those things, because if you're not, you face closure of your business, because you are noncompliant. Massive fines that could also put you out of business or hurt your bottom line. You also face a major reputational risk. Many institutions may not be fined with anything in particular, or a very small monetary fine, they might be slapped on the wrist, but when it gets out into the public and the public finds out that you facilitated the funding of a terrorist organization, that hurts your customer base. And some customers really will go someplace else to do their business.
FIELD: That makes sense. Geff, what are some of the strategies and solutions that you recommend for financial institutions to stay in compliance?
VITALE: I always recommend working with the vendor. Most interdiction software vendors do have some sort of service wrapped around their product, to help you optimize the usage of that software. I am not going to say that I'm an expert on every possible interdiction software out there. There are many different flavors around the world that do things differently. What is important is that you understand how that particular solution that you've implemented works. Because, if you don't understand how it is doing its matching, you won't be able to understand how to best optimize that. So, you definitely need to have a close relationship with your vendor, to understand these things. And also, the expectation of your examiner is that you also have that intimate knowledge of how that interdiction software is working. The other thing is I see a lot of places put up a lot of roadblocks when it comes to policies and procedures. You really need to make policies and procedures flexible, so that way you can incorporate changes. The names on the list are dynamic. You set them today, and for the next year it is going to do the same. You need to be able to say, "Okay, we evaluated it today, we needed to make a few adjustments, we incorporated those adjustments, and now we are tuned properly." But if the list changes, you need to evaluate the effect of that change to your matching. Now, most of the time the changes do not affect your hit rate, or if they do, it is very insignificant. But if you do have a massive increase, for whatever reason, you need to be able to adjust that system. But, many places, their policies and procedures prevent that type of adjustment, or that adjustment takes so long to get approval that it becomes ineffective. So, you really need to be flexible with those things. Then, the last thing is the vendors know the product best, and they will make recommendations to help your institution. What I recommend is that you act upon those recommendations.
I have spoken with other vendors who provide interdiction software and services, and they say they face the same challenges, the institutions ask them to come in, evaluate, and recommend changes, and then they never implement those changes, so they never get from that inefficiency to a more efficient matching process.
FIELD: So, you have worked with a number of financial institutions. What are the types of results you have seen them realize, from using some of these solutions and advice properly?
VITALE: Well, the first major result that anybody is trying to do, whenever you are tuning your interdiction software, is a reduction in your false positives. You really want every match to be a relevant match, something where you look at it and you say, "Yes, I need to investigate this one further." What you don't want is to go through a hundred matches, where you say, "Nope, not a match, not a match, not a match, not a match," and it takes you a hundred of those to get to the one where you say, "Oh! Got to investigate that one." So, typically, with these types of things, you get to that point where you are looking at every case, and almost every single case, or match, is something that you really do need to investigate further. Now, the converse of that is when your examiner says, "Hey, you are just not doing this to the level of satisfaction that I would like." And we will talk about that, a little bit about examiners expanding beyond what the intent of OFAC is. So, they say, "You need to match on more obscure names." And when you do that, you increase your false positives, but at the same time, the vendor could (1) help you tune that to match what the examiner is looking for, but then, (2) also reduce a lot of that noise, or just those clearly obvious false positives, to try to get you back down to a level of "Yes, you need to investigate each one of these matches."
FIELD: So, Geff, one last question for you. As you know, resources are tight for many institutions these days. When it comes to this type of interdiction software and solutions and strategies, how does a banking and security executive go about making a solid business case, to invest in these solutions?
VITALE: Well, with making any business case, you are trying to determine what is the return on investment. Unfortunately, there truly is no return on investments, there is just the idea that you are not going to have to pay out fines, and that is what you are really trying to make the case for, is that if we do these things, we won't have to pay millions of dollars in fines. So, (1) everything is required by law, as far as the OFAC matching. Everybody should be familiar with that whole law. (2) Examiners will cite any kind of deficiencies. So, what you don't want to do is wait until the examiner comes in and says, "Wow! You are way out of line with your matching. You really need to figure out how to make this stuff work better." And they are going to cite you for that, which means now you are going to have to throw resources at that. So, it's better that you have everything set up appropriately before they come in and hit you or cite you for that. Also, you want less risk of a violation going through. (1) You want to reduce the funding of terrorist organizations, or drug dealers, or any bad guy. And, (2) we want to reduce the risk of the institution having to pay out for a fine, and also reduce the risk of the reputation being tarnished by the public finding out that you allowed a transaction to go through that should not have. We also will be more efficient, which will help require less personnel. So, if you are able to more efficiently tune your filtering engine, and get through your matches quicker, you don't need to throw more bodies at it in order to handle the load. Then, there is no, or minimal fines that will come about with this, because of your diligence, in making sure that everything is set up efficiently. Now, when I was saying that some examiners are blowing some things out of proportion, as far as what OFAC is used for, and they are trying to utilize it for more than just what OFAC's intent is.
And the recommendation that I received from a compliance officer at OFAC is that when you run into a situation like that, you need to have a three-way talk, you need to call OFAC and talk with a compliance officer there, along with your examiner, because sometimes the examiner doesn't have a full understanding of what the OFAC intentions are. And so, having a three-way conversation will help you get to something that is more reasonable, as opposed to the examiner just saying, "I expect this type of level of matching, and it's just not what OFAC is expecting."
FIELD: Geff, there is one last question I wanted to ask you, because when you initially contacted me, you were talking about the challenge of aliases on the OFAC list. So, I'd like to ask if there are a couple of things about aliases that you really want financial institutions to know as they are going about dealing with their OFAC list.
VITALE: Yes, one part of the aliases on the OFAC list is that they are inconsistent. They supply them throughout the list in an inconsistent manner. An example of that is on a nonindividual, or an entity, they might put the name of the entity and then, in parentheses, put "Or [some other name]." But then, on an individual, they might actually list out the alternate first names of that individual, as separate aka's, without the associated last name inside that particular component. So, what this does, in many interdiction software, is say, "Okay, I need to match on just this first name." Well, how many thousands of customer records or transactions will that match against? It's just unrealistic. So, really, they recognize that there is a deficiency on their end, but at the same time, you need to counter that deficiency by making sure that your interdiction software does have the appropriate names to match against.
FIELD: Well, that's good advice, and I appreciate your time and your insight, Geff. It's been very helpful.
VITALE: Thank you.
FIELD: We've been talking with Geff Vitale with Metavante Risk and Compliance Solutions. For Information Security Media Group, I'm Tom Field. Thank you very much.